Trusted by Thousands Every Day
Security Basics
Your design mockups and data are unique to your account and isolated from others. Any information transmitted between your browser and the Sympli solution is transferred to over https, ensuring the security of the information in transit.
Authentication
Sympli requires authentication for all application pages and resources, except for those specifically intended to be public. All authentication controls must be enforced on a trusted system, and all authentication controls fail securely. Sympli uses TLS-encrypted POST requests to transmit authentication credentials.
We enforce the following password requirements and security standards:
- Passwords are hashed with a random salt
- No plaintext passwords are stored
- Email-based password reset links are sent only to a user's pre-registered email address with a temporary link
Single Sign-On
Sympli lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Sympli using their existing corporate credentials. SSO is an account-level feature available only with the Enterprise or private cloud plans.
PCI Compliance
Sympli uses Stripe for storing payment details and payments processing. Read more about Stripe’s security and PCI Compliance here.
Session Management
Each time a user signs into Sympli, they receive a new, unique authentication token. Each authentication token consists of random data to protect against brute force account credential attacks.
Sign Out
When signing out, the authentication token cookie is deleted from the client and the authentication token is invalidated on Sympli servers.
Encrypted Communication
All communication with Sympli is encrypted using Transport Layer Security (TLS) and is regularly updated to use the strongest ciphersuites and TLS configuration.
User Permissions
Sympli is designed for use cases ranging from small teams to large enterprises. You can invite users to your project or account without giving all team members the same levels of access.
User roles are available for Company, Enterprise and private cloud accounts and provide the ability to manage collaborators and apply different levels of permissions for each user. Each Sympli project can have different authorized users allowing granular control of who gets access to what project. The following list describes the user roles in the Sympli system, the access given to each role, and any other special concerns regarding those roles.
Administrators
Administrators have full access to all projects. They can also add or remove other administrators. If you make someone an Administrator, they can assign themselves to any project belonging to that Account. If you demote an Administrator to any other role, they will remain on the projects they already added themselves to, but they will not be able to see or join other projects.
Users
Users in Company, Enterprise, and private cloud plans can create, edit and upload mockups to projects. A project belongs to a root account, but the project can have multiple Project Administrators. The project creator is automatically turned into Project Administrator. Users can also create new projects and invite collaborators to the project(s) for which they are Project Administrators.
Collaborators
Collaborators can leave comments and upload mockups but can’t delete mockups, change sharing settings or edit projects.
These user permission levels enable customers to configure Sympli users so that they only have access to exactly what they need to collaborate on building digital products effectively.
Audit Logging
Logs are kept at all account levels for changes made to user accounts for both Sympli administrators and end users. Sympli maintains records of the following information:
- Account
- Sign-in
- Sign-out
- Project action
- Mockups/screens actions
- Archive actions
This feature is currently not exposed to end users and log audit is only available by request.
Security Program
The Sympli software development lifecycle (SDLC) includes many activities to ensure security is integrated into Sympli products from the beginning:
- Defining Security Requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, Bug Bounty Program, 3rd party security vulnerability assessments)
- Deployment controls (security, confidentiality, integrity, and availability code reviews, canary release process)
Sympli platform clients (web, Adobe Photoshop, Adobe XD CC, Sketch, Xcode and Android Studio plugins, and API) are designed with security that, at a minimum, meets OWASP standards for software that is designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Code Assesments
Sympli’s team also performs code assessments to assure that security best practices are properly embedded into the code that is developed. Code assessments include, but are not limited to:
- Automated source code analysis to find common defects
- Manual source code analysis on security-sensitive areas of code and new features and components
- Third-party reviews performed annually by security consultants
Bug Bounty Program
Found a security vulnerability? Please contact us at contact@sympli.io.
What Data We Collect
To provide the optimum experience to our customers, we collect various pieces of information. Examples of types of data that Sympli's service collects include:
- Customers interactions with application (to analyze and continuously improve the user experience)
- Customer's account number
- Date and time of usage
- Customer's browser, language and operating system versions
- Customer's IP address(es)
Internal Access to Data
Access to Customers' information is restricted within Sympli and is authorized for the purposes of providing direct customer support, marketing or for future product enhancements (for instance, to understand how an engineering change affects a group of customers). Sympli subcontractors may have access to customer data when analyzing or maintaining infrastructure. Sensitive customer data is never shared with anyone outside of Sympli and its subcontractors.
Read more about handling of personal data on Policy page.
Sympli takes the safety and security of your information seriously. We have implemented employee access controls that protect your information from unauthorized use:
- We limit access to your content and information to Sympli employees who require such information to perform their jobs, or as required to provide support to you
- Access to systems containing your sensitive information is logged and audited
- Sympli requires the use of single sign-on, strong passwords and 2-factor authentication (where available)
- Sympli employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer information
- Sympli customers retain responsibility to ensure their use of our service is within compliance of applicable laws and regulations. This is described in the Sympli Terms & Conditions, which can be found on Agreement page
Network Security
Sympli regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Host Security
All hosts run antivirus software that is kept up to date with security patches.
Incident Response
Sympli has a Security Incident Response Plan designed to quickly and systematically respond to security incidents that may arise. The incident response plan is tested and refined on a regular basis.
Disaster Recovery
Sympli's infrastructure is designed to provide the best experience and to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
- State of the art cloud providers. We use Amazon Web Services, which are trusted by thousands of businesses, to store and serve our data/services
- Data replication. To help ensure availability in the event of a disaster, we replicate data across multiple data centers
Data Deletion
Sympli will work with the customer if they should request the deletion of all their account data and content. Upon cancellation of Sympli’s service, a customer may request to have their deleted within 30 days of the subscription ending. Sympli may amend this policy in its sole discretion by posting an update to this policy.